Powerful New Encryption Standard Delayed by Weakness

By John Markoff

A Government standards group has delayed the adoption of a new data scrambling
standard for protecting the world's most sensitive financial transactions,
including most banks' electronic funds transfers, after the discovery by
two computer scientists of a weakness that could allow the code to be cracked.

The flaw was discovered by Eli Biham, a well-known cryptographer at the Technion
research institution in Israel, and by Lars Knudsen at the University of
Bergen in Norway. A paper detailing their discovery is to be presented at
a technical conference in May.

In their paper, which is available on the Technion Web site, Mr. Biham
and Mr. Knudsen report that an ultra-strong version
of the United States Data Encryption Standard known as Triple D.E.S. can
under certain circumstances be reduced in strength so that it is no more
robust than the current encryption algorithm, which financial institutions
have widely used as a security mechanism for several decades.

Computer security experts are eager to replace the current code because it
has become vulnerable to new code-cracking techniques. When the code was
developed, its designers had predicted that if it could be broken it would
take hundreds of years, requiring constant trial-and-error calculations by
the world's fastest supercomputers.

But the code was publicly broken for the first time last year by a loosely
organized group of computer users just to show that it could be done. Thousands
of members of the group volunteered the use of their own computers, ranging
from desktop PC's to supercomputers, whose processors were combined over
the Internet to attack the problem over a five-month period with an approach
known as massively distributed computing. In distributed computing, each
computer tests just a few of a vast array of possible keys, or numbers, to
break the code.

The strength of most modern encryption systems is determined by the length
of the numerical key that is used to encrypt the information. While the proposed
new standard uses a key the same length as the current key -- 56 bits --
it encrypts the message three times with three different keys. For each key,
there are several possible ways of encrypting the data, known as modes. Mr.
Biham and Mr. Knudsen said the flaw appeared in a single mode of the Triple
D.E.S. proposal, which is before a subcommittee of the American National
Standards Institute.

The scientists stressed in an interview that their paper, which also proposes
several modifications to strengthen the standard, described only a theoretical
weakness and not a practical means of breaking the Triple D.E.S. But they
suggested that the weakness was cause for concern.

As a result of the distribution of the paper within the subcommittee, it
decided to drop the vulnerable mode of the proposed standard, said the chairman,
Blake Greenlee.

"My hat's off to Eli; he did a nice job," Mr. Greenlee said. The subcommittee
that is evaluating the standards is known as X9.F1, and it oversees the
development of new cryptographic tools.

The subcommittee is now awaiting final approval of its revised standard by
the entire committee, he said. Once the committee gives its approval, there
is a 60-day public comment period before the new standard takes effect.

The Triple D.E.S. is intended to serve as a stopgap measure while the National
Institute for Standards and Technology completes work on a still more secure
design known as the Advanced Encryption Standard, or A.E.S. Competing
proposals for that system, which is intended
to protect computer data transmissions well into the next century, will be
submitted this summer.

The A.E.S. will have key lengths of 128, 192 and 256 bits, as compared with
the current 56-bit length of D.E.S., placing it safely beyond the reach of
the most powerful computers now anticipated for the future.

The original D.E.S. key is a secret number that is used to perform a series
of mathematical scrambling operations on a message or on other computer data.
When the scrambled message is received, the same secret key is used to reverse
the process and unscramble the data.

The current D.E.S. is based on research that was originally done at the
International Business Machines Corporation's Thomas J. Watson Research
Laboratory in the 1970's as part of a project code-named "Lucifer." It was
adopted as a national standard in 1977.

30 March 1998, PC Week:

New Crypto Standards

With a deadline for final submissions two months away, security vendors are
beginning to unveil the algorithms they hope will replace DES.

Several security companies and cryptographers, including Cylink Corp. and
independent cryptographer Bruce Schneier, will soon unveil their proposals
for the Advanced Encryption Standard.

Cylink has had a team of cryptographers working on a Data Encryption Standard
replacement since last summer, said Chuck Williams, chief scientist at the
Sunnyvale, Calif., company. Dubbed Safer+, the new algorithm will come in
128-bit, 192-bit and 256-bit key lengths, with a block size of 128 bits.

Schneier will submit a new version of his popular Blowfish algorithm, called
Blowfish 128. It increases the key size and block size of Blowfish and reduces
the time it takes to set up a key.

DES was created more than 20 years ago to become the symmetric, or private
key, standard for the federal government.

Officials of NAI, which in the fall purchased the crypto developer Pretty
Good Privacy Inc., said they don't know much about the encryption technology
they are licensing from cnLabs. All they know, they said, is what they asked
for: the functional equivalent of PGP's strong cryptography.

cnLabs will sell the strong encryption to NAI's subsidiary in the Netherlands,
where it will be installed on NAI products, said Peter Watkins, vice president
and general manager of NAI's security division, in Santa Clara, Calif.

The deal will enable NAI to skirt the U.S. government's current encryption
export laws. With some exceptions, the Commerce Department bars export of
encryption software that uses keys longer than 40 bits. Keys of 56 bits can
be used if a company promises to build in a key recovery mechanism that would
give law enforcement officials a back door into the encrypted data. Even
talking with a foreign company about how to use strong encryption could be
construed as a felony violation of the law.

Watkins said NAI contacted Commerce officials two weeks ago and announced
its intent to work out the deal with the Swiss lab but had not heard back
from them.

30 March 1998, Business Wire:

Canada's Cryptography Policy Debate Begins in Ottawa March 31

The meeting will focus on the Government of Canada's recent introduction
of the discussion paper entitled "A Cryptography Policy Framework for Electronic
Commerce," which is available in electronic format at

With this report, the government has initiated a unique collaborative effort
by proactively seeking industry and general public feedback on policy issues
that relate to cryptography and electronic commerce.

The following company representatives will participate in the discussion
which will be chaired by Mr. Alan Pickering, former Director-General of the
CSE (Communications Security Establishment):

Entrust expects that the policy and business issues discussed will transcend
geographic borders. A report on the views expressed during the meeting will
be submitted to government on behalf of the participating companies.

Logistical Details:

Date: Tuesday, March 31, 1998

Time: 1 p.m.

Place: Provinces II Ballroom, Westin Hotel, 11 Colonel By Drive, Ottawa, Ontario.

Entrust has established a teleconference line for those media who cannot
attend the session in person. To participate, please dial 1-800-599-9440
at approximately 12:50 p.m. on Tuesday, March 31, 1998. The passcode is 639603
and the conference number is 847746. You will be in listen-only mode through
the majority of the conference, but the Chair will break the discussion
periodically in order for the participants to field questions from the observers.

Issues for debate include the following:

-- How best to balance consumer, business, law enforcement and security
interests.